Ruleset Update Summary - 2025/12/29 - v11092

rulesbot · December 29, 2025, 9:22pm

Summary:

18 new OPEN, 36 new PRO (18 + 18)

Added rules:

Open:

2066484 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (depsairryosp .shop) (malware.rules)
2066485 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (depsairryosp .shop) in TLS SNI (malware.rules)
2066486 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scarleu .cyou) (malware.rules)
2066487 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scarleu .cyou) in TLS SNI (malware.rules)
2066488 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tuvalul .cyou) (malware.rules)
2066489 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tuvalul .cyou) in TLS SNI (malware.rules)
2066490 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (castous .cyou) (malware.rules)
2066491 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (castous .cyou) in TLS SNI (malware.rules)
2066492 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (phrupmv .su) (malware.rules)
2066493 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (phrupmv .su) in TLS SNI (malware.rules)
2066494 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atalowh .sbs) (malware.rules)
2066495 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atalowh .sbs) in TLS SNI (malware.rules)
2066496 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pixelupf .live) (malware.rules)
2066497 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pixelupf .live) in TLS SNI (malware.rules)
2066498 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sinitjq .cyou) (malware.rules)
2066499 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sinitjq .cyou) in TLS SNI (malware.rules)
2066500 - ET INFO MongoDB SASL Authentication Detected (info.rules)
2066501 - ET EXPLOIT MongoDB Unauthenticated Memory Leak (CVE-2025-14847) (exploit.rules)

Pro:

2865494 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2865495 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865496 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2865497 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2865498 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2865499 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2865500 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2865501 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2865502 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2865503 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865504 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2865505 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2865506 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2865507 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2865508 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2865509 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2865510 - ETPRO MALWARE Observed DNS Query to TA416 Domain (malware.rules)
2865511 - ETPRO MALWARE Observed TA416 Domain in TLS SNI (malware.rules)

Modified inactive rules:

2001017 - ET ADWARE_PUP SideStep Bar Reporting Data (adware_pup.rules)
2003434 - ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt (exploit.rules)
2008619 - ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (activex.rules)
2008826 - ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion (web_specific_apps.rules)
2009141 - ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion (web_specific_apps.rules)
2009453 - ET MALWARE BANLOAD Downloader GET Checkin (malware.rules)
2009754 - ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion (web_specific_apps.rules)
2010501 - ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware (adware_pup.rules)
2010822 - ET MALWARE smain?scout=acxc Generic Download landing (malware.rules)
2016585 - ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL March 03 2013 (exploit_kit.rules)
2017257 - ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2 (current_events.rules)
2019743 - ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014 (exploit_kit.rules)
2020196 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
2020331 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
2020421 - ET MALWARE Win32/Gulcrypt.B Downloading components (malware.rules)
2021933 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2021934 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2023295 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2024069 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
2100637 - GPL SCAN Webtrends Scanner UDP Probe (scan.rules)
2800174 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 3 (exploit.rules)
2801191 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x3F (exploit.rules)
2801310 - ETPRO EXPLOIT Oracle GoldenGate Veridata Server XML SOAP Request Buffer Overflow (exploit.rules)
2801405 - ETPRO MALWARE Unknown RBN Based BiFrost Botnet Response (malware.rules)
2801583 - ETPRO NETBIOS Multiple Load Library Vulns ibfs32.dll - SMB-DS Unicode (netbios.rules)
2801860 - ETPRO MALWARE Rogue AV AntimalwareDoctor.B Checkin (malware.rules)
2802150 - ETPRO EXPLOIT HP Data Protector Backup Client Service GET_FILE Buffer Overflow (UTF-16 Little-Endian ) (exploit.rules)
2802892 - ETPRO EXPLOIT HP Intelligent Management Center img Buffer Overflow (exploit.rules)
2803272 - ETPRO MALWARE W32/Koobface.hcy Checkin (malware.rules)
2803743 - ETPRO MALWARE Trojan.Win32.Buzus.hond Checkin 3 (malware.rules)
2804656 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QOT Checkin (malware.rules)
2804992 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.tdzl Checkin (malware.rules)
2805107 - ETPRO MALWARE Win32/Meredrop Checkin (malware.rules)
2805423 - ETPRO MALWARE Worm.Win32.Flame.a Checkin (malware.rules)
2805727 - ETPRO MALWARE Win32/Zlob.W Checkin (malware.rules)
2807541 - ETPRO MALWARE Trojan.Win32.Kargatroj.a Checkin (malware.rules)
2807955 - ETPRO MALWARE Win32/Injector.Autoit.ZZ (malware.rules)
2809311 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free CVE-2014-6369 (web_client.rules)
2812823 - ETPRO MALWARE Malicious SSL certificate detected (Fareit CnC) (malware.rules)
2813025 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.de Checkin 4 (mobile_malware.rules)
2814114 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Chyapo.b Checkin (mobile_malware.rules)
2815066 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Pletor.e Checkin (mobile_malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/10/06 - v11033 Ruleset Updates	102	October 6, 2025
Ruleset Update Summary - 2025/07/25 - v10978 Ruleset Updates	76	July 25, 2025
Ruleset Update Summary - 2025/05/20 - v10931 Ruleset Updates	101	May 20, 2025
Ruleset Update Summary - 2025/05/01 - v10918 Ruleset Updates	96	May 1, 2025
Ruleset Update Summary - 2024/10/25 - v10728 Ruleset Updates	109	October 25, 2024

Ruleset Update Summary - 2025/12/29 - v11092

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics